Remote and flexible working policies are increasingly popular, but put companies at huge risk when it comes to cyber security. If starting your own business, these pointers could be useful.
IF YOU’RE A MODERN, PROGRESSIVE COMPANY, IT’S highly likely you’ve got some sort of flexible remote working policy. Unfortunately, with this greater freedom comes greater risk, and remote workers are often the brittle link in a business’s security chain. Employees in general, according to beleaguered IT professionals, are lackadaisical about security software, lackluster about the Wi-Fi they use, and apathetic about their physical security too; writing their passwords on Post It notes and sticking them blatantly on their laptops.
And cyber security is not something to be ignored.
“Cyber-attacks are increasing exponentially,” explains Lukas van der Merwe, a specialist sales executive for security at T-Systems South Africa. Working globally, T-Systems picked up a peak of four million cyber-attacks in 2017. In 2019, this number was a breath-taking 53 million. Every IT security expert interviewed for this article viewed a cyber breach as a matter of when, not if, for most companies.
Remote work is also on the rise. Says Johnny Kromer, a technology executive at Nashua Communications: “We have definitely seen an increase in remote workers, almost all customer solutions today have to be installed with a different percent of mobile access.”
So, how do remote workers open you up to ransomware, phishing, hacking and general cyber security lawlessness?
There are two broad divisions to be made here: digital and physical.
DIGITAL
Remote workers make you vulnerable simply by taking their devices out of the safe online space your IT department has set up in the office, and recklessly using the free Wi-Fi available at most coffee shops. Nothing that’s free is really free, as they say, and the cost of using free Wi-Fi to access your email, client information and more means you open the fence and share your online picnic blanket with a bunch of randoms who might have their eyes on your data. Since public Wi-Fi is unencrypted, it’s easy for hackers to target the individuals using it.
Remote workers are also at a risk of falling for email phishing scams, as generally most of their communication is done via email with their company.
Van der Merwe has helped clients recover from cleverly crafted phishing mails that made it all the way to the CFO for sign-offs on large amounts of money, authentically copying documents and even signatures from the inboxes they had access to. One client lost R1 million ($69,000) to such a scam.
There are some simple things that companies and individuals can do to reduce hacking risks – a) setting up a VPN, or virtual private network, which allows workers to safely access the internet from any Wi-Fi connection; b) Ensuring workers have adequate anti-virus software. This is a bit of a pain point as many remote workers use their own devices and are reluctant to give their companies access to their computers, but this should be a non-negotiable requirement. c) Password documents that list every login are a huge no-no – with most corporates not realizing that these documents are available to anyone on the internet (if saved incorrectly on the Cloud). It is recommended you rather use an online password program that is encrypted; d) 2-factor authentication for logins is one of the easiest ways to secure access, and you can set it for most online programs through their security settings (including social media like Facebook); e) Set up BYOD (bring your own device) policies with strict rules around security measures and the ability to remotely wipe a device, whether a phone or laptop.
PHYSICAL
The other risk is taken far less seriously, with most companies focusing on their digital perimeter rather than any physical one. Some physical risks include:
a) Open laptops when heading to the loo: best practice is to enable auto-locking after a certain period of inactivity; b) Over-the-shoulder hacks: don’t, for example, work on vulnerable files in a public space like the Gautrain (rail service in Johannesburg) where people can peer over your shoulder;
c) Eavesdropping: ever said your ID number or password out loud in a coffee shop? Yeah, don’t do that; d) Unshredded documents: you could have your identity stolen through unshredded documents – this is a real risk; e) Passwords physically written down: the Post It note password on your laptop is a terrible idea.
BEHAVIOR CHANGES
“Train staff, then train them some more! Most companies could do more security training and still be unprepared,” says Jon Tullett, a senior research manager for IT services sub-Saharan Africa, at IDC South Africa. “An employee who sees security as an impediment is on the side of the attacker, since they’re likely to circumvent safeguards in the name of productivity.” Businesses need to make security a priority with clear policies in place, and regular training of staff. Overall, internet security is something companies should take far more seriously. Every expert interviewed was horrified at the belligerent indifference most businesses take to their vulnerabilities, and everyone viewed breaches and security scares as a certainty in the next few years. South Africa has already had its taste of this,
with government departments, newspapers and ISPs (internet service providers) alike all coming under fire in 2019 alone. As Van der Merwe says, “Most people trade off convenience for security.” But be one of those people at your own risk.
IF THE WORST HAPPENS… BUSINESS (CYBER) INSURANCE
Vera Nagtegaal, executive head of Hippo.co.za, says that your insurance should look at the following aspects:
REPLACEMENT COST: Insure your tech items for the value of replacement and not necessarily what you paid for it.
WHAT’S INCLUDED IN COVER: Should you insure your laptop, enquire whether there will be cover provided for software as well, as this can be quite costly, and find out what kind of damage is covered.
CLAIMS TURN-AROUND TIME: Some providers can authorize and/or pay out a claim within two to 24 hours, others take a few days and some could take even longer.
REPLACEMENT PROVIDERS: Enquire about the service providers they use to replace your cell phone and research reviews to ensure they are reputable and have good warranties on new devices.
-by Samantha Steele